\relax 
\providecommand\BKM@entry[2]{}
\providecommand\HyperFirstAtBeginDocument{\AtBeginDocument}
\HyperFirstAtBeginDocument{\ifx\hyper@anchor\@undefined
\global\let\oldcontentsline\contentsline
\gdef\contentsline#1#2#3#4{\oldcontentsline{#1}{#2}{#3}}
\global\let\oldnewlabel\newlabel
\gdef\newlabel#1#2{\newlabelxx{#1}#2}
\gdef\newlabelxx#1#2#3#4#5#6{\oldnewlabel{#1}{{#2}{#3}}}
\AtEndDocument{\ifx\hyper@anchor\@undefined
\let\contentsline\oldcontentsline
\let\newlabel\oldnewlabel
\fi}
\fi}
\global\let\hyper@last\relax 
\gdef\HyperFirstAtBeginDocument#1{#1}
\providecommand\HyField@AuxAddToFields[1]{}
\bibstyle{unsrt}
\BKM@entry{id=1,dest={636861707465722A2E31},srcline={151}}{4C697374206F662046696775726573}
\@writefile{toc}{\contentsline {section}{List of Figures}{5}{chapter*.1}}
\BKM@entry{id=2,dest={636861707465722A2E32},srcline={159}}{4C697374206F66205461626C6573}
\@writefile{toc}{\contentsline {section}{List of Tables}{6}{chapter*.2}}
\BKM@entry{id=3,dest={636861707465722E31},srcline={1}}{496E74726F64756374696F6E}
\BKM@entry{id=4,dest={73656374696F6E2E312E31},srcline={6}}{496E74726F64756374696F6E}
\BKM@entry{id=5,dest={73756273656374696F6E2E312E312E31},srcline={7}}{4D616C77617265}
\citation{article4}
\citation{kaspersky}
\citation{antivirus}
\citation{georg}
\@writefile{toc}{\contentsline {chapter}{\numberline {1}Introduction}{1}{chapter.1}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\newlabel{chap:1}{{1}{1}{Introduction\relax }{chapter.1}{}}
\@writefile{toc}{\contentsline {section}{\numberline {1.1}Introduction}{1}{section.1.1}}
\@writefile{toc}{\contentsline {subsection}{\numberline {1.1.1}Malware}{1}{subsection.1.1.1}}
\BKM@entry{id=6,dest={636861707465722E32},srcline={1}}{4261636B2067726F756E64}
\BKM@entry{id=7,dest={73656374696F6E2E322E31},srcline={6}}{566972757320746F74616C}
\BKM@entry{id=8,dest={73756273656374696F6E2E322E312E31},srcline={7}}{4D44352068617368}
\BKM@entry{id=9,dest={73756273656374696F6E2E322E312E32},srcline={8}}{5573696E6720766972757320746F74616C20746F2067657474696E672076656E646F72206E616D65}
\BKM@entry{id=10,dest={73656374696F6E2E322E32},srcline={9}}{50452066696C6520666F726D6174}
\BKM@entry{id=11,dest={73756273656374696F6E2E322E322E31},srcline={10}}{50452066696C65206F76657276696577}
\BKM@entry{id=12,dest={73756273656374696F6E2E322E322E32},srcline={11}}{504520466F726D6174}
\BKM@entry{id=13,dest={73656374696F6E2E322E33},srcline={12}}{504520686561646572}
\BKM@entry{id=14,dest={73656374696F6E2E322E34},srcline={13}}{4465636973696F6E2074726565}
\@writefile{toc}{\contentsline {chapter}{\numberline {2}Back ground}{3}{chapter.2}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\newlabel{chap:2}{{2}{3}{Back ground\relax }{chapter.2}{}}
\@writefile{toc}{\contentsline {section}{\numberline {2.1}Virus total}{3}{section.2.1}}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.1}MD5 hash}{3}{subsection.2.1.1}}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.1.2}Using virus total to getting vendor name}{3}{subsection.2.1.2}}
\@writefile{toc}{\contentsline {section}{\numberline {2.2}PE file format}{3}{section.2.2}}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.1}PE file overview}{3}{subsection.2.2.1}}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.2.2}PE Format}{3}{subsection.2.2.2}}
\@writefile{toc}{\contentsline {section}{\numberline {2.3}PE header}{3}{section.2.3}}
\@writefile{toc}{\contentsline {section}{\numberline {2.4}Decision tree}{3}{section.2.4}}
\BKM@entry{id=15,dest={636861707465722E33},srcline={1}}{50726F626C656D20616E64206F757220617070726F616368}
\BKM@entry{id=16,dest={73656374696F6E2E332E31},srcline={5}}{44796E616D696320616E616C79736973}
\citation{tony}
\citation{silvio}
\BKM@entry{id=17,dest={73656374696F6E2E332E32},srcline={11}}{53746174696320616E616C79736973}
\BKM@entry{id=18,dest={73756273656374696F6E2E332E322E31},srcline={12}}{4E2D6772616D73}
\BKM@entry{id=19,dest={73756273656374696F6E2E332E322E32},srcline={13}}{466C6F77206772617068}
\BKM@entry{id=20,dest={73756273656374696F6E2E332E322E33},srcline={14}}{417070726F616368}
\@writefile{toc}{\contentsline {chapter}{\numberline {3}Problem and our approach}{4}{chapter.3}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\newlabel{chap:3}{{3}{4}{Problem and our approach\relax }{chapter.3}{}}
\@writefile{toc}{\contentsline {section}{\numberline {3.1}Dynamic analysis}{4}{section.3.1}}
\@writefile{toc}{\contentsline {section}{\numberline {3.2}Static analysis}{5}{section.3.2}}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.1}N-grams}{5}{subsection.3.2.1}}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.2}Flow graph}{5}{subsection.3.2.2}}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.3}Approach}{5}{subsection.3.2.3}}
\BKM@entry{id=21,dest={636861707465722E34},srcline={1}}{496D706C656D656E746174696F6E}
\BKM@entry{id=22,dest={73656374696F6E2E342E31},srcline={6}}{4F7665722076696577}
\citation{tonylee}
\BKM@entry{id=23,dest={73656374696F6E2E342E32},srcline={25}}{436C617373696669636174696F6E206261736564206F6E206D616368696E65206C6561726E696E6720746563686E69717565}
\BKM@entry{id=24,dest={73756273656374696F6E2E342E322E31},srcline={26}}{50452066696C65206D6574612D64617461}
\citation{goppit}
\@writefile{toc}{\contentsline {chapter}{\numberline {4}Implementation}{6}{chapter.4}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\newlabel{chap:4}{{4}{6}{Implementation\relax }{chapter.4}{}}
\@writefile{toc}{\contentsline {section}{\numberline {4.1}Over view}{6}{section.4.1}}
\@writefile{lof}{\contentsline {figure}{\numberline {4.1}{\ignorespaces The system architecture.}}{7}{figure.4.1}}
\newlabel{fig:system_architec}{{4.1}{7}{The system architecture}{figure.4.1}{}}
\@writefile{toc}{\contentsline {section}{\numberline {4.2}Classification based on machine learning technique}{7}{section.4.2}}
\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.1}PE file meta-data}{7}{subsection.4.2.1}}
\@writefile{lof}{\contentsline {figure}{\numberline {4.2}{\ignorespaces Layout a file in PE header format.}}{7}{figure.4.2}}
\newlabel{fig:peheader}{{4.2}{7}{Layout a file in PE header format}{figure.4.2}{}}
\BKM@entry{id=25,dest={73756273656374696F6E2E342E322E32},srcline={59}}{43726561746520747261696E696E672064617461}
\citation{virustotal}
\citation{fsecure}
\citation{fsecure}
\citation{fsecure}
\citation{fsecure}
\citation{fsecure}
\citation{fsecure}
\BKM@entry{id=26,dest={73756273656374696F6E2E342E322E33},srcline={85}}{436C617373696669636174696F6E}
\@writefile{lof}{\contentsline {figure}{\numberline {4.3}{\ignorespaces Layout of a file header}}{8}{figure.4.3}}
\newlabel{fig:fileheader}{{4.3}{8}{Layout of a file header\relax }{figure.4.3}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.2}Create training data}{8}{subsection.4.2.2}}
\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.3}Classification}{9}{subsection.4.2.3}}
\@writefile{lof}{\contentsline {figure}{\numberline {4.4}{\ignorespaces List malware family in our system}}{10}{figure.4.4}}
\newlabel{fig:familymalware}{{4.4}{10}{List malware family in our system\relax }{figure.4.4}{}}
\@writefile{lof}{\contentsline {figure}{\numberline {4.5}{\ignorespaces Clustering method.}}{11}{figure.4.5}}
\newlabel{fig:clustering}{{4.5}{11}{Clustering method}{figure.4.5}{}}
\@writefile{lof}{\contentsline {figure}{\numberline {4.6}{\ignorespaces Worm autorun decision tree.}}{11}{figure.4.6}}
\newlabel{fig:classificationdecision}{{4.6}{11}{Worm autorun decision tree}{figure.4.6}{}}
\@writefile{lof}{\contentsline {figure}{\numberline {4.7}{\ignorespaces Malware classification system.}}{11}{figure.4.7}}
\newlabel{fig:classification}{{4.7}{11}{Malware classification system}{figure.4.7}{}}
\@writefile{lof}{\contentsline {figure}{\numberline {4.8}{\ignorespaces Worm autorun decision tree.}}{11}{figure.4.8}}
\newlabel{fig:decisiontreeworm}{{4.8}{11}{Worm autorun decision tree}{figure.4.8}{}}
\BKM@entry{id=27,dest={636861707465722E35},srcline={1}}{4576616C756174696F6E}
\BKM@entry{id=28,dest={73656374696F6E2E352E31},srcline={2}}{636F6C6C656374696F6E}
\BKM@entry{id=29,dest={73656374696F6E2E352E32},srcline={21}}{5370656564206576616C756174696F6E}
\BKM@entry{id=30,dest={73656374696F6E2E352E33},srcline={23}}{456666656374697665206576616C756174696F6E}
\@writefile{toc}{\contentsline {chapter}{\numberline {5}Evaluation}{12}{chapter.5}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\newlabel{chap:5}{{5}{12}{Evaluation\relax }{chapter.5}{}}
\@writefile{toc}{\contentsline {section}{\numberline {5.1}collection}{12}{section.5.1}}
\@writefile{lof}{\contentsline {figure}{\numberline {5.1}{\ignorespaces Experimental result table}}{12}{figure.5.1}}
\newlabel{fig:numbermalware}{{5.1}{12}{Experimental result table\relax }{figure.5.1}{}}
\@writefile{toc}{\contentsline {section}{\numberline {5.2}Speed evaluation}{13}{section.5.2}}
\@writefile{toc}{\contentsline {section}{\numberline {5.3}Effective evaluation}{13}{section.5.3}}
\@writefile{lof}{\contentsline {figure}{\numberline {5.2}{\ignorespaces The best decision tree order.}}{13}{figure.5.2}}
\newlabel{fig:ordertree}{{5.2}{13}{The best decision tree order}{figure.5.2}{}}
\@writefile{lof}{\contentsline {figure}{\numberline {5.3}{\ignorespaces Experimental result}}{14}{figure.5.3}}
\newlabel{fig:experimentalresult}{{5.3}{14}{Experimental result\relax }{figure.5.3}{}}
\BKM@entry{id=31,dest={636861707465722E36},srcline={1}}{436F6E636C7573696F6E}
\@writefile{toc}{\contentsline {chapter}{\numberline {6}Conclusion}{15}{chapter.6}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\newlabel{chap:6}{{6}{15}{Conclusion\relax }{chapter.6}{}}
\BKM@entry{id=32,dest={636861707465722E37},srcline={1}}{46757475726520776F726B}
\@writefile{toc}{\contentsline {chapter}{\numberline {7}Future work}{16}{chapter.7}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\newlabel{chap:7}{{7}{16}{Future work\relax }{chapter.7}{}}
\BKM@entry{id=33,dest={73656374696F6E2A2E34},srcline={196}}{5265666572656E636573}
\bibdata{reference/literature}
\bibcite{article1}{{1}{}{{}}{{}}}
\bibcite{rfc5}{{2}{}{{}}{{}}}
\bibcite{rfc1}{{3}{}{{}}{{}}}
\bibcite{article2}{{4}{}{{}}{{}}}
\bibcite{article5}{{5}{}{{}}{{}}}
\bibcite{article4}{{6}{}{{}}{{}}}
\bibcite{article6}{{7}{}{{}}{{}}}
\bibcite{rfc6}{{8}{}{{}}{{}}}
\bibcite{rfc7}{{9}{}{{}}{{}}}
\bibcite{rfc10}{{10}{}{{}}{{}}}
\bibcite{rfc8}{{11}{}{{}}{{}}}
\bibcite{rfc9}{{12}{}{{}}{{}}}
\bibcite{rfc3}{{13}{}{{}}{{}}}
\@writefile{toc}{\contentsline {chapter}{References}{ii}{section*.4}}
\bibcite{rfc4}{{14}{}{{}}{{}}}
\providecommand\NAT@force@numbers{}\NAT@force@numbers
